Desktop infected with http://search.conduit.com/

MSGK161091
Seems I got a virus on my desktop, and I need help getting it removed.
While on the computer using IE or Mozilla Firefox, I get redirected to the link below, which is the most common of the redirections:
http://search.conduit.com/
I know nothing about this site, nor have I ever visited it (willingly).
It says it's powered by Google.
Someone mentioned to me that they checked out SEARCH.CONDUIT (which is included in the link above) and that it is some form of hijacker.
My computer has all the symptoms of an attack by search.conduit.

I ran an AVAST virus scan (which found nothing), and then I ran MALWAREBYTES ANTI-MALWARE (which showed nothing). The first time, MALWAREBYTES removed around 6 - 10 infected files, but since then every time I run it it says no issues found. But I am sure my desktop is under attack.

And due to this my PC is running DAMN slow.
Would you please take a look?
Commented:
The fastest way would be to reset the browsers and use Spybot from www.safer-networking.org to scan your system.

For IE: go to Tools - Advanced - Reset.

For Firefox:

Go to the address bar and type about:config. Then change the values below:

browser.search.defaulturl (reset to default)
browser.search.selectedEngine (reset to default)
browser.search.defaultenginename (reset to default)
browser.search.searchEnginesURL (set to blank)
Try looking in the Add/Remove Programs list; you might find Conduit there.

Alternatively, look within the browser extensions and uninstall the unneeded browser extension.

Thanks.
MSGK161091 (Netbackup Storage Specialist, Author) commented:
Hi,
I tried to reset as you said in Firefox, but it still opens that site. IE seems OK, as I see it opens Google as the home page.
Once you remove the malware, it's good practice to set your automatic updates to be downloaded and installed on a weekly basis; this will improve your system's immunity to such events. Make sure your browsers are up to date too. Good luck.

Commented:
MSGK161091,
Go to Add/Remove Programs and uninstall Firefox.

Delete any folders from the Program Files folder.

Reinstall the new version.

Make sure you run Spybot to clean the registry.
Good, now that IE is OK, let's work on Firefox (I have Firefox 3.6.15 on my PC, so I'm including instructions from that version):

Tools -> Add-ons -> locate Conduit within Browser Extensions or Plugins and disable/uninstall it.

Restart Firefox to see the effect.
Following that, please run this online scanner:

http://www.eset.com/us/online-scanner/

Another thing: run Disk Defragmenter to speed up your system; it could also be an issue of fragmentation.
Technical Designer commented:
@MSGK161091,

If you are still facing issues, then I would recommend you run OTL and post the logs here.

OTL by OldTimer is a flexible, multipurpose diagnostic and malware removal tool. It's useful for identifying changes made to a system by spyware, malware and other unwanted programs. It creates detailed reports of registry and file settings, and also includes advanced tools and scripting ability for manually removing malware.

Download:
http://oldtimer.geekstogo.com/OTL/OTL.exe

When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
MSGK161091 (Netbackup Storage Specialist, Author) commented:
Hi warturtle,

I have checked; there is nothing for Conduit in Add/Remove Programs nor in browser extensions.

Hi Lance_p,

I am resetting my browser again and this time running Spybot as you suggested. I will let you know.
Author of the Year 2011, Top Expert 2006, commented:
MSGK161091,
Conduit will sometimes be started by a program with a different name.
In addition to the advice above, look through ALL of the programs in the Add/Remove Programs applet and make sure that you know what each one is.

You should also look through your "Programs" folder and do the same check.

Click on the START button, then click on RUN, and type in MSCONFIG. Look through the Startup list and check again.

If you aren't sure what a program is/does, you can do a quick Google search or post the info back here.

What exact OS are you running?
Have you tried resetting the browser home page to something else? It could be that Conduit is already out, but the home page is still conduit.com, so that opens by default.
MSGK161091 (Netbackup Storage Specialist, Author) commented:
Hi Lance_P,

I ran Spybot; it found a few infected files and cleaned them, and when I ran it again it found and cleaned more, but the page was still opening after I reset Firefox and changed the home page to Google. Seems Spybot was not hard enough to remove these.

Hi warturtle,

I ran the ESET cleaner and it found 15 threats and removed them, which I have attached below. Please have a look.

Hi Younghv,

I didn't find anything in Add/Remove Programs nor in any of the Program Files folders.

Hi Ssharma,

I ran OTL as you said and attached the OTL and Extras files here. Please find:
threatsfound.ESTCleaner.txt
OTL.Txt
Extras.Txt
Sudeep Sharma (Technical Designer) commented:
Hello MSGK161091,

ESET Cleaner has removed some malware; however, we still need a few things to be removed.

Run this custom script, and when it is complete I need to know how the computer is doing.

Run OTL Script

    Double-click OTL.exe to start the program.
    Copy and Paste the following code into the Custom Scans/Fixes textbox.
==================================================
:otl
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\EE_ComboFix\catchme.sys -- (catchme)
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3115642&SearchSource=2&q="
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A8415B7A-F661-4D31-92D7-4398E50483DF} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O20 - Winlogon\Notify\SDWinLogon: DllName - SDWinLogon.dll -  File not found
@Alternate Data Stream - 448 bytes -> C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.ZZZ...ZZZZ.ZZ:1
@Alternate Data Stream - 440 bytes -> C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.ZZ.....Z..ZZZ:1
@Alternate Data Stream - 440 bytes -> C:\3590F75ABA9E485486C100C1A9D4FF06Z.Z.ZZ.Z...ZZZZZ:1
@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4BF2F6B5
@Alternate Data Stream - 178 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
:Files
C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.ZZ.....Z..ZZZ
C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.ZZZ...ZZZZ.ZZ
C:\WINDOWS\tasks\SA.DAT
C:\Documents and Settings\SweetHome\Application Data\Mozilla\Firefox\Profiles\61sgutj1.default\searchplugins\conduit.xml
:Commands
[PURITY]
[EMPTYTEMP]
[emptyjava]
[EMPTYFLASH]
=========================================================
Then click the Run Fix button at the top.
Click OK.
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.
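As an added example (not code from any poster in this thread), a Python script that performs the Firefox-side check from the about:config advice earlier in the thread offline: it parses a prefs.js, flags the search-related prefs (including keyword.URL, which the OTL script above shows pointing at search.conduit.com) whose value references Conduit, and emits a cleaned copy with those lines dropped so Firefox restores its defaults on the next start. The sample prefs.js is constructed; the "Conduit Search" engine name is an assumption.

```python
import re

# Firefox prefs a search hijacker rewrites: the four from the about:config advice,
# the home page, and keyword.URL (address-bar search; see the OTL script above).
SEARCH_PREFS = {
    "browser.search.defaulturl", "browser.search.selectedEngine",
    "browser.search.defaultenginename", "browser.search.searchEnginesURL",
    "browser.startup.homepage", "keyword.URL",
}
HIJACK_MARKERS = ("conduit",)  # extend for other hijacker families
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

def parse_prefs(text):
    """Map pref name -> value (surrounding quotes stripped) for each user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs

def find_hijacked(prefs):
    """Search/home-page prefs whose value mentions a hijack marker (case-insensitive)."""
    return {n: v for n, v in prefs.items()
            if (n in SEARCH_PREFS or n.startswith("browser.search."))
            and any(mk in v.lower() for mk in HIJACK_MARKERS)}

def clean_prefs(text):
    """prefs.js text minus the hijacked lines (Firefox recreates them at defaults).
    Edit prefs.js only with Firefox closed, or it writes the old values back on exit."""
    bad = find_hijacked(parse_prefs(text))
    kept = [ln for ln in text.splitlines()
            if not (PREF_RE.match(ln) and PREF_RE.match(ln).group(1) in bad)]
    return "\n".join(kept) + "\n"

# Constructed sample prefs.js: the keyword.URL value is the one in the OTL script
# above; the "Conduit Search" engine name is an assumption.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3115642&q=");
user_pref("browser.search.selectedEngine", "Conduit Search");
user_pref("browser.search.defaultenginename", "Conduit Search");
user_pref("keyword.URL", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3115642&SearchSource=2&q=");
user_pref("network.cookie.cookieBehavior", 0);
"""

if __name__ == "__main__":
    for name, value in find_hijacked(parse_prefs(SAMPLE_PREFS)).items():
        print("reset:", name, "=", value)
    print(clean_prefs(SAMPLE_PREFS), end="")
```

To run it on a real profile, read the prefs.js from the profile folder (the OTL script above shows the Profiles\<name>.default layout) into `clean_prefs` and write the result back with Firefox closed.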
MSGK161091 (Netbackup Storage Specialist, Author) commented:
Hi Ssharma,

As you requested, I ran Run Fix with the code given by you. Please see the attachment for the outcome.
olt-runfixes.txt
Sudeep Sharma (Technical Designer) commented:
@MSGK161091,

So how's the system working right now? Any further issues?
MSGK161091 (Netbackup Storage Specialist, Author) commented:
Hi Guys,
Now my system is working fine, no more opening that annoying search page. Happy to be here at EE and part of it. I agree with the administrative comment that EE experts are qualified and capable of fixing the issues; we are not required to go anywhere.

Thanks guys. Special thanks to Ssharma/Warturtle. I believe OTL, as well as the ESET scanner, helped to remove this annoying search.conduit page from my system.

Commented:
I just removed Conduit. It had a redirect in the hosts file which I removed. Also, the browser toolbar was "disguised" in Add/Remove Programs. It had a generic-sounding name which I have already forgotten. I found it by looking through the list of installed programs and looking for a publisher I did not recognize.
